Securing the Fifth Domain

In May 2010, the final disappearance of the line between physical and virtual security became official when Defense Secretary Robert Gates announced the activation of the U.S. Cyber Command, or CYBERCOM.

Cyberspace, Gates declared, was the fifth domain of security, alongside land, sea, air and space. When it comes to the transformation of military culture that CYBERCOM represents, it's hard to overemphasize the importance of the Secretary's summation. Only a year before CYBERCOM came into being, two leading Army officers, Lt. Col. Gregory Conti and Col. John Surdu, had shown their dissatisfaction with the lack of recognition given to technical expertise in the U.S. military, despite the growing threat from cyberspace.

Our military is confident when it comes to "kinetic" wars involving the deployment of troops in physical theaters, they wrote. "They do little," the two officers continued, "to recognize and develop technical expertise. As a result, the Army, Navy, and Air Force hemorrhage technical talent, leaving the Nation's military forces and our country under-prepared for both the ongoing cyber cold war and the likelihood of major cyberwarfare in the future."

Even though cyberspace is now in its rightful place within the constellation of security concerns, the structural and personnel problems identified by Conti and Surdu persist. Such weaknesses are potentially lethal. No less than General Keith Alexander, the chief of CYBERCOM, told the Los Angeles Times recently, "I believe that we would suffer tremendously if a cyber war were conducted today, as would our adversaries."

Assuming, that is, we could identify those adversaries in the first place. Malware can be developed any place on the planet and sent to travel on elaborate, complex routes, so finding its source can frequently be impossible.

That's why, as I know from 14 years of experience in information security, the best offense is robust defense, based on prevention. In order to ensure that the nightmare scenarios - like the poisoning of domestic water supplies identified in the LA Times piece linked above - don't become a reality, we need to do the following:

Identify what our critical infrastructure involves. In cyberwarfare, the traditional distinction between a military and a civilian target doesn't apply. Our grid, our nuclear power stations, our financial markets and banks, our transportation system, are all vulnerable. An overpowering cyberattack on one or more of these could cripple our country in a matter of seconds. Preserving the networks of the Department of Defense is a paramount task, but it's not the only one.

Support legislation to boost and extend cybersecurity. Congressional Representative James Langevin of Rhode Island has introduced legislation that would shore up the oversight of our critical infrastructure, creating clear lines of responsibility. As Langevin noted in a recent op-ed, "private companies control most of our critical infrastructure, such as utilities. Given their primary responsibility to shareholders, they don't have incentives to act alone and many have not dealt with vulnerabilities." Each day that goes by with those vulnerabilities intact exposes us to enormous risk. In these environments, as in many others, the question is not "what if vulnerabilities exist?" but, because they contain many vulnerabilities, "when will the vulnerabilities be exploited?"

Build a real public-private partnership. Langevin also noted that "our nation's cyber workforce is in danger of falling behind." Companies in the private security space are well-positioned to find and train the best computer science graduates, turning them into tomorrow's cyberwarriors. For example, my own company, Trustwave's SpiderLabs, recently sponsored and participated in a cybersecurity competition (National CCDC) for students in San Antonio, Texas, pitching them into a simulation of a cyberattack on a major commercial concern. Such experience is invaluable, particularly as cybercriminals and cyberterrorists share many of the same methods. What's required now is a formal partnership that utilizes the vast experience of private sector information security companies.

Keep the public on our side. Since 9/11, our national security debate has often been bitter, as legislators, opinion-formers and the general public have clashed over such issues as the deployment of American forces in the Middle East, the impact of terrorism on privacy and civil rights, and the role of private defense contractors. Cyberwarfare promises to be just as murky. Just as there was no declaration of war, there will be no declaration of victory. We are, sadly, fated to fight this war for the foreseeable future, which is why we need the public to trust us.

For several years now, academic experts on military affairs have progressively expanded the areas which the term "security" covers. We are now in an age where "security" applies to everything: our borders and our airspace, certainly, but crucially our networks and data too. Every electronic exchange carries a potential risk within it. Such is the nature of the fifth domain.